With cyber crime on the increase, payment card security is increasingly a focus for companies and consumers alike. The Payment Card Industry Data Security Standard (PCI DSS) is there to help businesses accepting card payments to protect their payment systems from breaches and theft of cardholder data. Findings from the Verizon 2017 Payment Security Report demonstrate a link between organisations being compliant with the PCI DSS and their ability to defend themselves against cyber attacks.

Of all the payment card data breaches Verizon investigated, no organisation was fully compliant at the time of breach, and the breached organisations showed lower compliance with ten out of the 12 PCI DSS key requirements.

Overall, PCI compliance has increased among global businesses, with 55.4% of the organisations Verizon assessed passing their interim assessment in 2016. This is an increase on 2015, when only 48.4% of organisations achieved full compliance during their interim validation. Nearly half of all retailers, restaurants, hotels and other businesses that take card payments are still failing to maintain compliance from year to year.

“There’s a clear link between PCI DSS compliance and an organisation’s ability to defend itself against cyber attacks,” commented Rodolphe Simonetti, global managing director for security consulting at Verizon. “While it’s good to see PCI compliance increasing, the fact remains that over 40% of the global organisations we assessed, both large and small in scale, are still not meeting PCI DSS compliance standards. Of those that do pass validation, nearly half fall out of compliance within a year and many of them much sooner.”

According to the report, the IT services industry achieved the highest full compliance of all key industry groups studied. Globally, about three fifths (61.3%) of IT services organisations achieved full compliance during interim validation in 2016, followed by 59.1% of financial services organisations (which includes insurance companies), retail (50%) and hospitality (42.9%).

The 2017 Payment Security Report also flags the compliance challenges faced by specific business sectors including:

Real-life examples highlight situations where compliance controls are not followed. For example, a financial services organisation seeking exemption from the Wi-Fi requirements of PCI DSS was surprised to learn that it did in fact have a wireless network operating in its building, with this lack of knowledge causing it to fail. The IT administrator had become tired of traipsing from the server room in the basement to the IT Department on the third floor, and so had installed a router to access the servers from his desk.

Mind the ‘control gap’

When looking at the PCI controls that companies would be expected to have in place (such as security testing and penetration tests), the report found an increased ‘control gap’, meaning that many of these basics were absent.

In 2015, companies failing their interim assessment had an average of 12.4% of controls absent. This figure increased to 13% in 2016.

Simonetti continued: “It’s no longer a question of ‘If’ data must be protected, but ‘How’ in order to achieve sustainable data protection. Many organisations still look at PCI DSS controls in isolation and don’t appreciate the fact that they’re inter-related. Far too often, the concept of control lifecycle management is absent. This is often the result of a shortage of skilled in-house professionals. However, in our experience internal proficiency can be dramatically improved with lifecycle guidance from external experts.”

The 2017 Payment Security Report offers five key guidelines to assist with control lifecycle management:

* Consolidate for ease of management: Adding more security controls isn’t always the answer: the PCI DSS already contains numerous interlinked data protection standards and regulations. Organisations should be able to use this to consolidate controls, making them easier to manage overall.

* Invest in developing expertise: Organisations should invest in their people to develop and maintain their knowledge of how to enhance, monitor and measure the effectiveness of those controls in place.

* Apply a balanced approach: Companies need to maintain an internal control environment that’s both robust and resilient if they want to avoid controls falling out of compliance.

* Automate everything possible: Applying data protection workflow and automation can be a huge asset in control management, but all automation also needs to be frequently audited.

* Design, operate and manage the internal control environment: The performance of each control is inter-linked. If there’s a problem at the top, this will impact the performance of the controls at the bottom. It’s essential to understand this in order to achieve and maintain an effective and sustainable data protection programme.

Troy Leach, chief technology officer for the PCI Security Standards Council, stated: “The Verizon report highlights the challenges organisations have in front of them in order to consistently maintain security controls on an ongoing basis and not leave their cardholder data environments vulnerable to attack. This trend was a key driver for changes introduced in PCI Data Security Standard Version 3.2, which focus on helping organisations confirm that critical data security controls remain in place throughout the year, and that they’re effectively tested as part of an ongoing security monitoring process.”

2017 Verizon Payment Security Report

The aim of the 2017 Payment Security Report is not to convince readers of the need for PCI compliance, but rather to track the measurable performance of PCI compliance. This year’s report includes the results from PCI assessments conducted by Verizon’s team of PCI-qualified security assessors for Fortune 500 and large multinational firms in more than 30 countries.

Similar to Verizon’s Data Breach Investigations Report series, the 2017 Payment Security Report is based on actual casework with a specific focus on financial services (47.5%), IT services (22.3%), hospitality (15.1%) and retail (14.4%). Geographies covered include the Americas (42.4%), Europe (28.1%) and the Asia-Pacific region (29.5%).


About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)